ESM: Set Up Notifications

Document created by RSA Information Design and Development on Mar 22, 2017

This topic describes how to configure notifications for event source groups. A notification is sent when an alarm is raised, that is, when an event source group fails to meet one of the thresholds set for it.

Notifications go hand-in-hand with Thresholds. Before you configure notifications, you should set up Thresholds for an event source group.

Note: After configuring the thresholds for an event source group, if you do not set any notifications, then even if an alarm is triggered, users are not notified. However, all alarms are visible on the Alarms Tab.

Prerequisites

Before you set up notifications for an event source group, you should review the available notification items:

  • Notification Servers: These are the servers to which the system sends notifications, such as an SMTP, SNMP, or syslog server. For more details, see the Notification Servers Overview topic in the System Configuration Guide.
  • Notification Templates: These are the available templates for each type of notification. For Event Source Management, default templates are supplied for Email (SMTP), SNMP, and Syslog. You can use these templates as supplied, or customize them if necessary. For more details, see the Templates Overview topic in the System Configuration Guide.
  • Notification Outputs: An output holds the parameters for one notification type. For example, an email output contains the recipient addresses and the subject line for the notification. For more details, see the Notification Outputs Overview topic in the System Configuration Guide.

Add Notifications for an event source group

To add notifications for an event source group:

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Monitoring Policies tab.

  3. In the Event Groups panel, select a group.

    Note: You should have already set a threshold for the group. If not, see Set and View the Thresholds for an Alert Policy to set a threshold, and then return to this procedure. Alternatively, if you have automatic alerting turned on, then you do not need to set thresholds for a policy. Automatic alarms generate notifications without the need to set thresholds.

  4. In the Notifications panel, click the Add icon, and from the drop-down menu, select the type of notification you want to add:

    • Email
    • SNMP
    • Syslog

    Note: Default ESM (Event Source Monitoring) templates are provided for each type of notification.

  5. Enter values for the Notification, Notification Server, and Template fields.

    1. For Notification, select an existing notification output from the list (for an email notification, the output holds the recipient addresses and subject). If no suitable output exists, add one under Notification Settings, and then select it here.
    2. For Notification Server, select the server that will deliver this notification type. If no suitable server exists, add one under Notification Settings, and then select it here.
    3. For Template, select an available template (a default ESM template exists for each type), or create a suitable template under Notification Settings, and then select it here.

    Note: If you need to add or edit one of these items, click Notification Settings. A new browser window opens on the Administration > System > Global Notifications page. Use this page to view or update the available Notification items.

  6. Optionally, limit the rate of notifications for the policy.

    1. Select Output Suppression to enable the limit.
    2. Enter the suppression interval, in minutes. For example, if you enter 30, at most one notification is sent for this policy in any 30-minute period; alarms raised during the rest of the interval are still recorded on the Alarms tab but do not generate a notification. The limit applies to the policy as a whole, not to each event source in the group, so a burst of alarms from several event sources yields a single notification.
    3. Click Save.
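The following Python is an added example, not part of the RSA documentation and not product code. It models the Output Suppression rule described above (at most one notification per policy every N minutes) over a constructed burst of alarms from two event sources in one group, so you can see which alarms reach the notification server and which are only recorded. It assumes the suppression window is measured from the last notification actually sent; the page does not say how the product measures it, so treat that as an assumption. Hostnames, threshold names and timestamps are constructed.

```python
"""Model of ESM output suppression (added example, not RSA product code).

Assumption: the suppression window is a sliding window measured from the
last notification that was actually sent. The page only states "one
notification every N minutes" and does not specify the exact mechanism.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Alarm:
    """One ESM alarm: which event source in the group tripped which threshold."""
    time: datetime
    event_source: str
    threshold: str


@dataclass
class PolicyNotifier:
    """Per-policy notifier with optional output suppression (in minutes)."""
    policy: str
    suppression_minutes: Optional[int] = None  # None = Output Suppression off
    alarms: List[Alarm] = field(default_factory=list)        # every alarm, as on the Alarms tab
    notifications: List[Alarm] = field(default_factory=list)  # alarms that produced a notification
    _last_sent: Optional[datetime] = None

    def raise_alarm(self, alarm: Alarm) -> bool:
        """Record the alarm; return True if a notification is sent for it."""
        self.alarms.append(alarm)
        if self.suppression_minutes is not None and self._last_sent is not None:
            window = timedelta(minutes=self.suppression_minutes)
            if alarm.time - self._last_sent < window:
                return False  # suppressed: recorded on the Alarms tab, no notification
        self._last_sent = alarm.time
        self.notifications.append(alarm)
        return True


def simulate(suppression_minutes: Optional[int]) -> PolicyNotifier:
    """Run a constructed burst of alarms through one policy and return it."""
    t0 = datetime(2017, 3, 22, 9, 0)
    # Constructed sample alarms (hypothetical hosts and threshold names):
    # two event sources in the same group trip thresholds over 70 minutes.
    burst = [
        Alarm(t0, "fw01.example.com", "low-event-rate"),
        Alarm(t0 + timedelta(minutes=10), "fw02.example.com", "low-event-rate"),
        Alarm(t0 + timedelta(minutes=25), "fw01.example.com", "no-events"),
        Alarm(t0 + timedelta(minutes=35), "fw01.example.com", "no-events"),
        Alarm(t0 + timedelta(minutes=70), "fw01.example.com", "low-event-rate"),
    ]
    notifier = PolicyNotifier("firewall-group", suppression_minutes)
    for alarm in burst:
        notifier.raise_alarm(alarm)
    return notifier


def suppressed_sources(notifier: PolicyNotifier) -> List[str]:
    """Event sources whose alarms were recorded but never produced a notification."""
    notified = {a.event_source for a in notifier.notifications}
    return sorted({a.event_source for a in notifier.alarms} - notified)


if __name__ == "__main__":
    for minutes in (None, 30):
        n = simulate(minutes)
        print(f"suppression={minutes}: {len(n.alarms)} alarms, "
              f"{len(n.notifications)} notifications sent")
        for a in n.alarms:
            sent = "SENT" if a in n.notifications else "suppressed"
            print(f"  {a.time:%H:%M}  {a.event_source:18} {a.threshold:15} {sent}")
        print(f"  sources never notified: {suppressed_sources(n)}")
```

With suppression off, all five alarms generate a notification. With a 30-minute interval, only the alarms at 09:00, 09:35 and 10:10 do; the single alarm from fw02.example.com at 09:10 falls inside the window opened by fw01.example.com and is never notified, which is the practical caveat of per-policy suppression: size the interval so that a second event source's first alarm is not silently absorbed by an unrelated one, and check the Alarms tab rather than relying on the notification stream alone.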

Here is an example of a monitoring policy that contains a threshold and a notification for an event source group (screenshot esm_notifyEx.png, not reproduced here).
